Software Release - psad-2.2.1

02 January, 2013

The 2.2.1 release of psad is available for download. This release
adds new support for detecting a type of scan that psad was previously
blind to - IP protocol scanning (nmap -sO). Also in this release is the
ability to detect Topera IPv6 scans and differentiate them from Nmap IPv6
scans. Other important changes include a new test suite, email throttling,
and auto-blocking timeouts that can be set for each danger level. Here is
the complete ChangeLog:

Added IP protocol scan detection (nmap -sO). A new psad.conf variable
PROTOCOL_SCAN_THRESHOLD defines the minimum number of different IP
protocols (default = 5) that must be scanned before an alert is
triggered.
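As an added illustration (not psad's own code, which is Perl), the PROTOCOL_SCAN_THRESHOLD logic can be modelled over iptables log lines: collect the distinct PROTO= values each SRC= address sends and flag a source once that count reaches the threshold. The log lines below are constructed for the example; SRC= and PROTO= are the field names iptables actually logs (a protocol name for TCP/UDP/ICMP, a bare protocol number otherwise).

```python
import re
from collections import defaultdict

# Default mentioned in the changelog for psad.conf's PROTOCOL_SCAN_THRESHOLD.
PROTOCOL_SCAN_THRESHOLD = 5

# iptables logs the source as SRC=... and the IP protocol as PROTO=...;
# PROTO is a name for TCP/UDP/ICMP and a bare number for other protocols.
_SRC_RE = re.compile(r"\bSRC=(\S+)")
_PROTO_RE = re.compile(r"\bPROTO=(\S+)")

# Constructed sample log lines (not from the psad project): one source
# probing several IP protocols, as an nmap -sO sweep would, and an
# unrelated host that only speaks TCP.
SAMPLE_LOG = """\
Jan  2 10:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=20 TTL=64 ID=1 PROTO=47
Jan  2 10:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=28 TTL=64 ID=2 PROTO=ICMP TYPE=8 CODE=0
Jan  2 10:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=40 TTL=64 ID=3 PROTO=TCP SPT=40000 DPT=80
Jan  2 10:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=28 TTL=64 ID=4 PROTO=UDP SPT=40000 DPT=53
Jan  2 10:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=20 TTL=64 ID=5 PROTO=132
Jan  2 10:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=20 TTL=64 ID=6 PROTO=47
Jan  2 10:00:04 fw kernel: IN=eth0 OUT= SRC=192.168.1.9 DST=10.0.0.1 LEN=40 TTL=64 ID=7 PROTO=TCP SPT=51000 DPT=22
Jan  2 10:00:04 fw kernel: IN=eth0 OUT= SRC=192.168.1.9 DST=10.0.0.1 LEN=40 TTL=64 ID=8 PROTO=TCP SPT=51001 DPT=443
"""


def protocols_per_source(lines):
    """Map each SRC address to the set of distinct IP protocols it has sent."""
    seen = defaultdict(set)
    for line in lines:
        src = _SRC_RE.search(line)
        proto = _PROTO_RE.search(line)
        if src and proto:
            seen[src.group(1)].add(proto.group(1).upper())
    return seen


def protocol_scanners(lines, threshold=PROTOCOL_SCAN_THRESHOLD):
    """Return {src: sorted protocols} for sources at or above the threshold."""
    return {src: sorted(protos)
            for src, protos in protocols_per_source(lines).items()
            if len(protos) >= threshold}


if __name__ == "__main__":
    for src, protos in protocol_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible IP protocol scan from {src}: {len(protos)} protocols {protos}")
```

Repeated probes of the same protocol (47 appears twice above) count once, which is why the threshold is on distinct protocols rather than packets.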

Added detection for Topera IPv6 scans when --log-ip-options is used in
the ip6tables logging rule. When this option is not used, the previous
psad-2.2 release already detected Topera scans. An example TCP SYN packet
generated by Topera when --log-ip-options is used looks like this (note
the series of empty IP options strings "OPT ( )"):

Bug fix in --Analyze mode when IP fields are to be searched with the
--analysis-fields argument (such as --analysis-fields "SRC:1.2.3.4").
The bug was reported by Gregorio Narvaez, and looked like this:

Use of uninitialized value $_[0] in length at
../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
Use of uninitialized value $_[0] in length at
../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
../../blib/lib/auto/NetAddr/IP/UtilPP/hasbits.al) line 126.
Bad argument length for NetAddr::IP::UtilPP::hasbits, is 0, should be
128 at ../../blib/lib/NetAddr/IP/UtilPP.pm (autosplit into
../../blib/lib/auto/NetAddr/IP/UtilPP/_deadlen.al) line 122.

Added --stdin argument to allow psad to collect iptables log data from
STDIN in --Analyze mode. This makes it easier to run iptables logs
through psad from arbitrary files like so:

# grep "IN=.*OUT=" /var/log/kern.log | psad -A --stdin

Added the ability to acquire Snort rule 'msg' fields from fwsnort if
it's also installed. A new variable FWSNORT_RULES_DIR tells psad where
to look for the fwsnort rule set. This fixes a problem reported by Pui
Edylie to the psad mailing list where fwsnort logged an attack that psad
could not map back to a descriptive 'msg' field.

Added the ability to set per-danger level timeouts when psad is
configured to run in auto-blocking mode. These timeouts are implemented
with new AUTO_BLOCK_DL*_TIMEOUT variables - one for each of the five
possible danger levels that may be assigned to a scanning IP address.

Added the ability to throttle emails generated by psad via a new
EMAIL_THROTTLE variable which is implemented as a per-IP threshold. That
is, if EMAIL_THROTTLE is set to "10", then psad will only send 1/10th as
many emails for each scanning IP as it would have normally.

The complete psad-2.2.1 ChangeLog can also be found here via the psad
gitweb interface.